RGBCube/serenity
1
Fork 0
mirror of https://github.com/RGBCube/serenity synced 2025-07-25 19:17:44 +00:00
Code Issues Activity Actions

LibWeb: Fix use-after-free in CSSNamespaceRule parsing

Browse source 
Holding the `prefix` as a StringView meant it pointed at string data
held by `token`. `token` gets reassigned shortly afterwards, meaning
`prefix` would hold invalid character data.
This commit is contained in:
Sam Atkins 2023-08-07 17:29:38 +01:00 committed by Sam Atkins
parent 5042c903be
commit 6c2ed0f51b
3 changed files with 6 additions and 6 deletions
Download patch file Download diff file Expand all files Collapse all files

4
Userland/Libraries/LibWeb/CSS/CSSNamespaceRule.h
View file

@ -14,7 +14,7 @@ class CSSNamespaceRule final : public CSSRule {
WEB_PLATFORM_OBJECT(CSSNamespaceRule, CSSRule);
public:
static WebIDL::ExceptionOr<JS::NonnullGCPtr<CSSNamespaceRule>> create(JS::Realm&, Optional<StringView> prefix, StringView namespace_uri);
static WebIDL::ExceptionOr<JS::NonnullGCPtr<CSSNamespaceRule>> create(JS::Realm&, Optional<DeprecatedString> prefix, StringView namespace_uri);
virtual ~CSSNamespaceRule() = default;
@ -25,7 +25,7 @@ public:
virtual Type type() const override { return Type::Namespace; }
private:
CSSNamespaceRule(JS::Realm&, Optional<StringView> prefix, StringView namespace_uri);
CSSNamespaceRule(JS::Realm&, Optional<DeprecatedString> prefix, StringView namespace_uri);
virtual void initialize(JS::Realm&) override;